MISRA Discussion Forums

Welcome, Guest

You have to register before you can post on our site.

19.4 - is typedef considered to be a type qualifier?

Posted by: mishak - 14-04-2011, 04:07 PM - Forum: 6.19 Preprocessing Directives - Replies (1)

	The C standard states that "The typedef specifier is called a â€˜â€˜storage-class specifierâ€™â€™ for syntactic convenience only;". Does 19.4 allow a macro to expand to 'typedef'?

Underlying type for integer constant expressions

Posted by: Mats Fors - 12-04-2011, 09:30 AM - Forum: 6.10 Arithmetic Type Conversions - Replies (1)

The initialization:
uint8_t d = ((uint8_t) 0x1U) | ((uint8_t) 0x2U);
should, according to the MISRA-C guidelines, generate an error for rule 10.1. The initializer, i.e. the integer constant expression, has the underlying type of uint8_t, but that type is overruled by the explicit rule for integer constant expressions in 6.10.4 that says that the signedness/unsignedness of the underlying type should be taken from the actual type of the integer constant expression, but only if it is signed or unsigned int. In this case it is signed int. Giving the rule 10.1 breakage. Is this really the intention of the MISRA-C guidelines for integer constant expressions?

Rule 15.4 - no boolean switch expressions

Posted by: eddieh - 08-04-2011, 01:02 PM - Forum: 6.15 Switch Statements - Replies (1)

I don't believe my compiler's interpretation of rule 15.4 is consistent with the Standard's...

The Standard says:

Code:
switch( x == 0 )

{

    ...

is non-compliant, which seems reasonable. However, my compiler complains about:

Code:
enum_type x;

switch( x )

{

    case ENUM_A :

        do_stuff;

        break;

    default :

        /* No action */

        break;

}

Because 'x' is an enumerated type, I like to make it clear that we do_stuff for a particular subset of possible values.

What is intended interpretation of this rule? There is no explanation in the Standard.

Many thanks in advance for any comments.

Cheers,
Eddie.

Meaning of rule 8.4 for function prototypes

Posted by: dcrocker - 30-03-2011, 08:02 AM - Forum: 6.8 Declarations and Definitions - Replies (1)

Consider the following:

File1.h:
typedef short int int16_t;

File2.h:
short int foo(short int a);

File3.h:
int16_t foo(int16_t a);

Does this break any MISRA rules? I ask because rule 8.3 states that for a function, the types in the prototype must match the types in the definition *exactly*. However, rule 8.4 states that when an object *or function* is declared more than once, the types in the declarations must be compatible, which is a weaker requirement. Why were the words "or function" included in rule 8.4?

My intepretation is that if my source code includes a definition of function foo, then I must be violating rules 8.3 (because at most one of the prototypes can have types that exactly match the types in the definition); but it my code doesn't include a definition for foo (e.g. because it is in a compiler-supplied library), I am free to provide two or more prototypes for it with non-identical but compatible types.

Pointer type conversions to char*

Posted by: dcrocker - 24-03-2011, 05:15 PM - Forum: 6.11 Pointer Type Conversions - Replies (1)

I have recently come across code similar to the following:

Code:
void serialize(const uint8 data[], size_t length);

int16 myData;

...

serialize((const uint8*)&myData, sizeof(myData));    /* violates MISRA 11.4 */

serialize((const void*)&myData, sizeof(myData));     /* obscures what is going on, but allowed by MISRA */

It seems to me perverse that the first call violates a MISRA rule (even though casting any pointer to a char* does not give rise to alignment issues, see 6.3.4 in the standard), whereas the second contains a potentially dangerous implicit type conversion from void* to another pointer type (imagine that the parameter to serialize had been declared as "const uint32[]" instead).

One possibility is to declare the parameter to serialize as having type const void* instead, but I'm not sure I like this, and it would be necessary to convert it to uint8* anyway inside serialize.

I would prefer to see MISRA C3 amend the rules along the following lines:

1. Explicit casts from an object pointer type to signed or unsigned char* are permitted;

2. Implicit casts from void* to any other type are not permitted. [I don't understand why the MISRA standard ever allowed them.]

3. Maybe a rule along the lines of "A pointer of type void* may only be converted to the same pointer type that it was originally derived from" (with the usual permission to add cv-qualifiers). Perhaps also permitting void* to be converted to signed/unsigned char*.

Any comments?

Identifier used as variable and function-like macro

Posted by: dcrocker - 23-03-2011, 04:49 PM - Forum: 6.19 Preprocessing Directives - Replies (1)

I recently came across some code similar to the following:

Code:
#define Sum(_x, _y) ((_x) + (_y))

int Sum;

The identifier Sum is used both as the name of a function-like macro and as the name of a variable. Does this violate any MISRA-C 2004 rules? The occurrence of the identifier Sum in the variable declaration is not an instantiation of the macro, because the following preprocessing token is not '(' (section 6.8.3 of the C90 standard), so it appears that rule 19.8 does not apply. It might be considered that rule 5.6 is violated, but section 6.1.2.3 of the standard does not mention a namespace for preprocessor macro names. It could also be considered that rule 5.7 is violated, depending on the interpretation of the word "reused".

Why is the code below cited for violation of MISRA 13.6

Posted by: kalpak - 03-03-2011, 09:33 AM - Forum: 6.13 Control Statement Expressions - Replies (2)

Why is the last code line (array element initialization) in the code below being cited for 13.6 violation by Crystal Revs MISRA checker:

Code:
/*Test code for Crystal revs MISRA rule 13.6 */

typedef unsigned char uint8_t

void InitArray(void);

#define LCD_NUM_OF_COLS 2u

#define LCD_NUM_OF_ROWS    10u

uint8_t Test_Array[LCD_NUM_OF_COLS][LCD_NUM_OF_ROWS];

void InitArray(void)

    {

    uint8_t row_index = 0u;

    uint8_t col_index = 0u;    

    for (col_index = 0u; col_index < LCD_NUM_OF_COLS; col_index++)

        {

        for (row_index=0u; row_index < LCD_NUM_OF_ROWS; row_index++)    

            {

            /*    make each element of the array the char NULL    */

            Test_Array[col_index][row_index] = 0u;    

            }    

        }

    }

thanks,
kalpak

Rule 10.1, Rule 6.5 and Boolean bit-fields

Posted by: joelek - 18-01-2011, 09:29 PM - Forum: 6.10 Arithmetic Type Conversions - Replies (4)

Is there a MISRA-compliant way to have effectively boolean bit-fields? Single bit-fields can't be signed per Rule 6.5. So the bit-fields must be unsigned. Now we need to pick the signedness of the boolean type.

If we go with

Code:
typedef signed int TBool;

then we're going to be violating Rule 10.1 whenever we assign between the unsigned bit-field and the signed boolean type. E.g.:

Code:
myFlags.unsignedBit = signedBoolFlag; /* Implicitly converting signed to unsigned */

   signedBoolFlag = myFlags.unsignedBit; /* Implicitly converting unsigned to signed */

If we go with

Code:
typedef unsigned int TBool;

then we're going to be violating Rule 10.1 whenever we do something like

Code:
unsignedBoolFlag = (c > d); /* Implicitly converting signed to unsigned */

because the boolean expression is technically signed int.

Are boolean bit-fields something that MISRA C is trying to prevent? Are they dangerous? I know I could be using casts, but that gets ugly quickly, and pervasive casts bypass type checking and pretty much defeat the purpose of the MISRA rules in the first place.

One thing I thought of is to define something like

Code:
#define ISTRUE(cond) ((cond) ? TRUE : FALSE)

and then I can use

Code:
unsignedBoolFlag = ISTRUE(c > d); /* Fine as long as TRUE and FALSE are unsigned */

This may or may not be less efficient than without the ISTRUE() macro, depending on the compiler and optimizations. But it's still ugly.

Thanks,
- Joel

ISO 26262 focuses on stating requirements, MISRA SA provides

Posted by: mragupat - 18-01-2011, 05:08 AM - Forum: MISRA SA discussions - No Replies

I have received a news letter which states that "A reminder that the MISRA Guidelines for Safety Analysis of Vehicle Based Programmable Systems (MISRA SA) will be very helpful to an organization seeking to implement functional safety management processes for the first time. While ISO 26262 focuses on stating requirements, MISRA SA provides guidance on understanding such requirements."

I don't have idea about ISO 26262. Process champion is looking for more details. Is this MISRA SA applicable for software team??? Please let me know what is the advantage to the community if we follow this process?

Rule 11.5 and char/string constants

Posted by: armand - 12-01-2011, 04:36 PM - Forum: 6.11 Pointer Type Conversions - Replies (3)

Hi,

Whilst testing my implementation of rule 4.2 with a simple example, I got a warning about rule 11.5. It is on the following simple example:

void main() {
char * x="abcd";
return;
}

that is automatically translated by CIL into the following C code, where one can notice a new cast.

void main() {
char *x;
x=(char *)"abcd";
}

the 11.5 warning concerns the assignment, where it complains that the attribute const has been lost.
Indeed, the rhs expression has type const char *, so this seems normal.

A correct writing would be:

void main() {
char *x;
char content[4]="abcd";
x=&content[0];
}
which does not generate the 11.5 warning as we have well typed the constant and assigned the first element's address into x.
BUT, now I get a warning about rule 9.2 explaining that I haven't a braced expression on the rhs of the assignement, to initialize the array!!

I can correct this by decomposing "abcd" into {'a','b','c','d''} which removes the last warning but gets tedious.

So my question is: does MISRA discourage programmers from using strings?

Pages (100): « Previous 1 … 66 67 68 69 70 … 100 Next »

Search Forums

(Advanced Search)

Forum Statistics

» Members: 6,171
» Latest member: stephanmuench
» Forum threads: 998
» Forum posts: 2,752

Full Statistics

Online Users

There are currently 389 online users.
» 0 Member(s) | 387 Guest(s)
Bing, Google

Latest Threads

Rule 6.2.1: non-inline co...
Forum: 4.6 Basic concepts
Last Post: cgpzs
22-11-2024, 10:11 AM
» Replies: 0
» Views: 35

Rule 0.1.2
Forum: 4.0 Language independent issues
Last Post: stephanmuench
21-11-2024, 01:12 PM
» Replies: 0
» Views: 44

A18-9-4
Forum: AUTOSAR C++:2014 rules
Last Post: cgpzs
23-10-2024, 12:04 PM
» Replies: 2
» Views: 393

A8-4-5: are partial moves...
Forum: AUTOSAR C++:2014 rules
Last Post: misra cpp
22-10-2024, 02:03 PM
» Replies: 1
» Views: 336

model information blocks ...
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
22-10-2024, 01:27 PM
» Replies: 1
» Views: 4,459

MISRA AL SLSF - Rule 043I
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
22-10-2024, 01:11 PM
» Replies: 1
» Views: 8,874

MISRA AC EC guidelines
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
21-10-2024, 08:21 AM
» Replies: 4
» Views: 15,521

News on future releases
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
21-10-2024, 08:05 AM
» Replies: 1
» Views: 5,706

Signal naming convention ...
Forum: MISRA AC SLSF discussions
Last Post: misra-ac
21-10-2024, 07:57 AM
» Replies: 1
» Views: 7,258

Rule 7.0.2: operator cons...
Forum: 4.7 Standard conversions
Last Post: karos
14-10-2024, 08:52 PM
» Replies: 2
» Views: 447

Login
Username:
Password:
	Remember me Lost Password?

Welcome to the MISRA discussion forum